Many applications hold secrets that must be protected from unauthorized access. On many computing architectures, however, those secrets are necessarily exposed to system software, such as an operating system (OS) kernel, on the assumption that the system software can be trusted. For instance, components executing within the OS kernel have full access to system memory, and thus to any application secrets held in that memory. Application secrets are therefore vulnerable to compromised or malicious system software.
Isolating the execution of an application is one practice used to protect application data from unauthorized access. Isolation typically provides an application with a tightly controlled set of resources. However, isolation is primarily used to protect an application from untrustworthy applications running on the same system, not from the system software itself. Further, common isolation techniques require two operating systems or two virtual machines, which is inefficient and resource intensive, or they require modification of the application code.